Fabric OS Encryption Administrator's Guide

53-1002159-03
NOTE
In the event that the signed KAC certificate must be re-registered, you will need to log in to the key
vault web interface and upload the new signed KAC certificate for the corresponding Brocade
Encryption Switch Identity.
You can change the value of the certificate expiration date using the following command:
openssl x509 -req -sha1 -CAcreateserial -in certs/<Switch CSR Name> -days 365 \
    -CA cacert.pem -CAkey private/cakey.pem -out newcerts/<Switch Cert Name>
In the example above, the certificate is valid for a period of one year (365 days). You can increase
or decrease this value according to your own specific needs.
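The signing command above sets the validity period with -days. The following added example (not part of the guide) checks the validity window a signed certificate actually carries, so an approaching expiry is caught before the KAC certificate has to be re-registered. The function names, file names and throwaway CA are assumptions constructed for the demo, which signs with -sha256 instead of -sha1 only so that it runs on OpenSSL builds that refuse SHA-1 signatures.

```shell
#!/bin/sh
# Added example (not from the guide): report where a signed KAC certificate
# stands in its validity window. All names below are hypothetical.

# Print "unreadable", "expired", "renew" (expires within <warn_days>) or "ok".
kac_cert_status() {   # usage: kac_cert_status <cert.pem> <warn_days>
    cert=$1; warn_days=$2
    # Reject anything that does not parse as an X.509 certificate.
    openssl x509 -in "$cert" -noout >/dev/null 2>&1 || { echo "unreadable"; return 0; }
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "expired"; return 0
    fi
    if ! openssl x509 -in "$cert" -noout -checkend "$((warn_days * 86400))" >/dev/null 2>&1; then
        echo "renew"; return 0
    fi
    echo "ok"
}

# Constructed demo input: a throwaway CA and switch CSR, signed for <days> days
# using the same x509 -req form as the guide's command.
make_demo_cert() {    # usage: make_demo_cert <dir> <days>
    d=$1; days=$2
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 3650 \
        -keyout "$d/cakey.pem" -out "$d/cacert.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-switch-kac" \
        -keyout "$d/switch.key" -out "$d/switch.csr" 2>/dev/null || return 1
    # -sha256 replaces the guide's -sha1 only so the demo runs on OpenSSL
    # builds that refuse SHA-1 signatures (an assumption of this example).
    openssl x509 -req -sha256 -CAcreateserial -in "$d/switch.csr" -days "$days" \
        -CA "$d/cacert.pem" -CAkey "$d/cakey.pem" -out "$d/switch.pem" 2>/dev/null
}

# Demo: a 365-day certificate checked against a 30-day and a 400-day window.
tmp=$(mktemp -d) && make_demo_cert "$tmp" 365 && {
    echo "30-day window:  $(kac_cert_status "$tmp/switch.pem" 30)"
    echo "400-day window: $(kac_cert_status "$tmp/switch.pem" 400)"
}
rm -rf "$tmp"
```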
Changing IP addresses in encryption groups
Generally, when IP addresses are assigned to the Ge0 and Ge1 ports, they should not be changed.
If an encryption group member node IP address must be changed, refer to “IP Address change of a
node within an encryption group” on page 117.
Disabling the encryption engine
The disable encryption engine interface command cryptocfg --disableEE [slot number] should be
used only during firmware download, and when the encryption and security capabilities of the
encryption engine have been compromised. When disabling the encryption capabilities of the
encryption engine, be sure the encryption engine is not hosting any CryptoTarget containers. All
CryptoTarget containers hosted on the encryption switch or FS8-18 blade must either be removed
from the encryption engine, or be moved to a different encryption engine in an HA Cluster or
encryption group before disabling the encryption and security capabilities.
Recommendations for Initiator Fan-Ins
For optimal performance at reasonable scaling factors of initiators, targets, and LUNs accessed,
Brocade Encryption Engines (EEs) are designed to support a fan-in ratio of between four and eight
initiator ports to one target port, in terms of the number of distinct initiator ports to a Crypto
Container (i.e., a virtual target port corresponding to the physical target port).